Version: v2.3.0

FAQs

1. What is the difference between DNS Firewall and Infoblox DDI or any other DDI solution?

DNS Firewall operates at the DNS layer and inspects, analyzes and secures DNS traffic. No changes to the network are required. Deployment at the organization level is relatively easy (less than 30 mins) and offers effective protection against DNS-based attacks. In addition, the solution provides complete visibility into all DNS traffic across an organization. A DDI solution, on the other hand, provides a centralized platform to manage DNS and DHCP services and has an IPAM component. It involves more deployment effort and is targeted at network management within an organization.

2. Is this a DDI solution?

This is not a DDI solution. It is a DNS-based protection solution and works alongside your existing DDI solution.

3. Do I need DNS Firewall if I already have a Fortinet, Palo Alto, Symantec Blue Coat, Forcepoint or other Next Generation Firewall?

Most of our enterprise clients already have one of these Next Generation Firewall solutions in place. DNS Firewall should be part of your defence-in-depth strategy and should complement these Next Generation Firewall solutions, not replace them. The best way to know whether you need DNS Firewall is to do a PoC with us in monitoring mode. Deployment takes less than 30 minutes, and monitoring mode only provides visibility into the DNS security gaps in your enterprise. Our clients are always surprised when they find out the gaps they have at their DNS layer in spite of their existing firewall solutions. The gap is due to not having solid protection at the DNS layer, and that is where DNS Firewall shines. Most of our clients who do a PoC with us end up signing multi-year contracts with us, given the value the product brings to their overall security posture.

4. Why should we adopt DNS layer protection?

DNS layer protection should be your first level of protection as part of your defence-in-depth strategy. Gaining visibility into your DNS traffic provides valuable information about the overall health of your network. In addition, certain types of malicious activity can only be detected at the DNS layer: attacks such as DGA and DNS tunneling can only be detected using a DNS layer protection solution like DNS Firewall.

5. How do I go about deploying DNS Firewall on my enterprise network consisting of 1000s of devices and multiple networks?

Our recommended option, and the one that works for most of our clients, is to do a PoC on a few networks in monitoring mode. The network level deployment is quick and provides instant visibility into DNS traffic from the moment it is deployed. After analyzing the traffic and tuning the content and security filtering policies, the next step is to enable blocking mode, where malicious and inappropriate content is blocked for users on the network.

6. Will DNS Firewall work if I have a network with dynamic DNS?

Yes, it is possible to set up DNS Firewall on a network with a dynamic IP address. Please refer to the set-up instructions at networks with dynamic IP.

7. How long does it take to deploy DNS Firewall at the network level of a large enterprise?

A network level deployment of DNS Firewall in monitoring mode typically takes less than 30 mins.

8. Will DNS Firewall slow down my network?

DNS Firewall has a global anycast network. This means that requests are distributed to the nearest available DNS resolvers. The feedback from our clients is an improvement in DNS and subsequent application performance due to the way our anycast is set up. The malicious-domain and content filters add minimal overhead compared with plain DNS resolvers such as Google and Cloudflare, which do not perform any filtering. Independent performance benchmarks have ranked DNS Firewall performance better than Google in many locations.

9. How robust is DNS Firewall infrastructure?

We take availability very seriously given the critical role of DNS in the functioning of the Internet. We have a globally distributed network of resolvers with redundancy built in at every level. In summary, the DNS Firewall infrastructure is highly robust and resilient at all levels.

10. Is there an option to show a custom block page when I go live in blocking mode?

Yes, you can set up your own custom block page and have DNS Firewall redirect to it when a domain is filtered, whether due to security or content filtering restrictions. Please refer to the custom block page set-up instructions at custom block page.

11. I have a requirement in my guest Wi-Fi where I do not want to show the custom block page; I would just like to return an NXDOMAIN error when a domain is blocked. How do I do this?

Yes, this is possible. You can achieve this by checking the guest-wifi setting when setting up a network.

12. How do I deal with certificate errors on HTTPS traffic when users are redirected to the custom block page?

Since the custom block page domain doesn't have a public IP address, it is not possible to have a publicly signed certificate for it. The only option is to use a self-signed certificate and to have that certificate trusted by the users' browsers. Alternatively, if you are hosting your own custom block page, please distribute its self-signed certificate to your end users.
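As an added example, not code from the original FAQ or from the product, the Python below builds the two kinds of response described in questions 10 to 12: a NOERROR answer that points the blocked name at the block page host, and an NXDOMAIN answer for a guest Wi-Fi network. The block page address 203.0.113.10 and the blocked hostname are constructed sample values.

```python
import struct
import ipaddress
from typing import Optional, Tuple

NOERROR, NXDOMAIN = 0, 3            # DNS RCODE values (RFC 1035)
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def blocked_response(query_id: int, qname: str, guest_wifi: bool, block_page_ip: str) -> bytes:
    """Build the answer a filtering resolver returns for a domain it blocks.

    guest_wifi=True  -> NXDOMAIN with an empty answer section: the client just sees "not found".
    guest_wifi=False -> NOERROR with an A record for the block page host, so the browser
                        connects there while still requesting the blocked hostname, which
                        is why an HTTPS block page needs a certificate the browser trusts.
    """
    rcode = NXDOMAIN if guest_wifi else NOERROR
    flags = 0x8180 | rcode              # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    ancount = 0 if guest_wifi else 1
    msg = struct.pack("!HHHHHH", query_id, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if not guest_wifi:
        # 0xC00C is a compression pointer to the question name at offset 12; TTL is 60s
        rdata = ipaddress.IPv4Address(block_page_ip).packed
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, len(rdata)) + rdata
    return msg

def summarize(msg: bytes) -> Tuple[int, Optional[str]]:
    """Return (rcode, answer IP or None) the way a client would interpret the response."""
    _, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x0F
    if ancount == 0:
        return rcode, None
    off = 12                            # skip the question: labels, then QTYPE/QCLASS
    while msg[off] != 0:
        off += msg[off] + 1
    off += 1 + 4
    *_, rdlen = struct.unpack_from("!HHHIH", msg, off)
    off += struct.calcsize("!HHHIH")
    return rcode, str(ipaddress.IPv4Address(msg[off:off + rdlen]))

if __name__ == "__main__":
    # Constructed sample: the same blocked name on a guest network and on a corporate network
    for guest in (True, False):
        print("guest_wifi=%s ->" % guest,
              summarize(blocked_response(0x1234, "blocked.example", guest, "203.0.113.10")))
```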

13. Is there a way to use a publicly signed certificate for the custom block page instead of the self-signed certificate DNS Firewall recommends?

Since the custom block page domain doesn't have a public IP address, it is not possible to have a publicly signed certificate for it.

14. Is there a way to ingest DNS logs from DNS Firewall to our SIEM solution?

Yes, it is possible to ingest DNS logs into a SIEM of your choice that supports CSV-based log ingestion. Reach out to the support team for details on the integration.

15. How do I go about blocking malicious traffic such as malware, ransomware, phishing, C&C and so on?

In the configuration section of the DNS Firewall web application, enable malicious protection. This blocks all domains that pose a threat, such as domains categorized as malware, phishing, C&C servers, ransomware, spam and so on.

16. How accurate is your malicious domain classification? Do I need to add operational overhead to deal with false positives?

Our threat detection is best in class, as confirmed by multiple clients. Our false positive rate is generally less than 2%, which means that out of 100 threats flagged, we expect around two domains to be wrongly classified. Since the false positive domains tend to be risky domains in most cases, users should not be impacted, and hence we don't add any operational overhead. On the contrary, because of the protective nature of DNS Firewall, the security team should be freed up for more strategic activities thanks to an improved security posture.

17. What is the need for roaming client protection when I already have a network level deployment?

Roaming clients can be used as an additional layer on top of network level protection, or deployed on their own as the only layer of DNS Firewall protection. Roaming clients are available for Windows, OS X, iOS and Android devices. They can be easily deployed through MDMs and allow for granular protection, monitoring and quarantine of infected devices.

18. Is there a way to allow blocked traffic?

Yes, DNS Firewall provides a block list at the account level which can be used to block domains that an organization deems inappropriate.